From 1a052d8e70be02bf7846d79f470574e2a70ff4cd Mon Sep 17 00:00:00 2001
From: Vincent Chan
Date: Wed, 17 Jun 2026 14:44:52 +0800
Subject: [PATCH] Fix invalid CORS config: disable credentials with wildcard origin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`allow_origins=["*"]` combined with `allow_credentials=True` is an invalid CORS combination — browsers reject `Access-Control-Allow-Origin: *` on credentialed requests, and Starlette works around it by reflecting the request Origin, effectively allowing any site to send credentialed requests. This tool makes no use of browser-side credentials (the forum cookies are sent server-side from cookies.txt), so set allow_credentials=False to keep the open wildcard origin without the unsafe credential reflection.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 lottery_server.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lottery_server.py b/lottery_server.py
index 222b166..07be5f7 100644
--- a/lottery_server.py
+++ b/lottery_server.py
@@ -20,7 +20,7 @@
 app.add_middleware(
     CORSMiddleware,
     allow_origins=["*"],
-    allow_credentials=True,
+    allow_credentials=False,
     allow_methods=["*"],
     allow_headers=["*"],
 )
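Review bot: Keeping `allow_origins=["*"]` on the new side means any web page a user has open can still make cross-origin requests to this server from their browser and read the responses, and because the forum cookies are applied server-side from cookies.txt (per the commit message), such a page could drive forum actions with those cookies without ever needing browser credentials — dropping `allow_credentials` removes the Origin reflection but not this exposure. If the UI is served from a known origin, name it explicitly instead of the wildcard, e.g. `allow_origins=["http://localhost:<ui-port>"]`, and narrow `allow_methods`/`allow_headers` from `["*"]` to what the UI actually sends; if the UI is served by this same app on the same origin, the middleware may not be needed at all. I cannot see the bind address or how the server is launched from this hunk, so whether it is reachable beyond localhost is an assumption to confirm. CORS only constrains browsers, so whatever list is chosen, it is not a substitute for authenticating callers.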